cfusion.txt

17 Aug 1999 00:00:00, reported by Kevin Klinsky. Type: packetstorm. Source: packetstormsecurity.com

Cold Fusion Application Server allows unauthorized file access; patch recommended to secure systems.

L0pht Security Advisory  
-------------  
  
URL Origin: http://www.l0pht.com/advisories.html   
Release Date: April 20th, 1999   
Application: Cold Fusion Application Server   
Severity: Web users can download, delete and even upload   
executable files to a Cold Fusion server. Access   
is not limited to files under the web root.   
Author: [email protected]   
Operating Sys: All platforms   
  
-------------  
  
  
I. Description   
  
In issue 54, volume 8 of Phrack Magazine dated December 25, 1998,   
rain.forest.puppy <[email protected]> describes a security problem with   
installations of Cold Fusion Application Server when the online   
documentation is installed. The online documentation is installed by   
default. According to Phrack, the vulnerability allows web users to view   
files anywhere on the server.   
  
On February 4, 1999, Allaire posted a fix on their web site   
(www.allaire.com) and also recommended that documentation not be stored   
on production servers. They also acknowledged that the hole allows web   
users to read and also delete files on the server. The patch   
successfully fixes the problem if you decide to keep the documentation   
on the server.   
  
In examining an unpatched Cold Fusion Application Server it became   
apparent that in addition to reading and deleting files, web users also   
have the ability to upload (potentially executable) files to the server.   
  
A cursory survey of many large corporate and e-commerce sites using Cold   
Fusion turned up many vulnerable servers. The purpose of this advisory is   
to stress how important it is to use the patch that Allaire provides or   
take other measures to prevent web users from accessing this security   
hole.  
  
  
II. Details  
  
By default, the Cold Fusion application server install program installs   
sample code as well as online documentation. As part of this collection   
is a utility called the "Expression Evaluator". The purpose of this   
utility is to allow developers to easily experiment with Cold Fusion   
expressions. It even allows you to create a text file on your local   
machine and then upload it to the application server in order to   
evaluate it. This utility is supposed to be limited to the localhost.   
  
There are basically 3 important files in this exploit that any web user   
can access by default: "/cfdocs/expeval/openfile.cfm",   
"/cfdocs/expeval/displayopenedfile.cfm" and "/cfdocs/expeval/exprcalc.cfm".   
The first one lets you upload a file via a web form. The second one saves   
the file to the server. The last file reads the uploaded file, displays   
the contents of the file in a web form and then deletes the uploaded file.   
  
The Phrack article and the advisory from Allaire relate to "exprcalc.cfm".   
A web user can choose to view and delete any file they want. To view and   
delete a file like "c:\winnt\repair\setup.log" you would use a URL like:   
http://www.server.com/cfdocs/expeval/ExprCalc.cfm?OpenFilePath=c:\winnt\repair\setup.log   
  
This exploit can be taken a step further. First go to:   
http://www.server.com/cfdocs/expeval/openfile.cfm   
  
Select a file to upload from your local machine and submit it. You will   
then be forwarded to a web page displaying the contents of the file you   
uploaded. The URL will look something like:   
http://www.server.com/cfdocs/expeval/ExprCalc.cfm?RequestTimeout=2000&OpenFilePath=C:\Inetpub\wwwroot\cfdocs\expeval\.\myfile.txt   
  
Now replace the end of the URL where it shows ".\myfile.txt" with   
"ExprCalc.cfm". Going to this URL will delete "ExprCalc.cfm" so that web   
users can now use "openfile.cfm" to upload files to the web server   
without them being deleted. With some knowledge of Cold Fusion a web user   
can upload a Cold Fusion page that allows them to browse directories on   
the server as well as upload, download and delete files. Arbitrary   
executable files could be placed anywhere the Cold Fusion service has   
access. Web users are not restricted to the web root.   
  
Frequently, Cold Fusion developers use Microsoft Access databases to   
store information for their web applications. If the described   
vulnerability exists on your server, these database files could   
potentially be downloaded and even overwritten with modified copies.   
  
The most concerning aspect of this vulnerability is that with a text   
editor and a web browser, web users are able to download password files,   
other confidential information and even upload executable files to a web   
server.  
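The following is an added detection example, not part of the L0pht advisory: a Python pass over constructed Common Log Format lines that flags requests to the three /cfdocs/expeval/ files the advisory names, and OpenFilePath values that point outside the expeval directory or at ExprCalc.cfm itself. The log lines, client addresses and the "localhost only" rule are assumptions for the example.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Sample-application files named in the advisory. The Expression Evaluator was
# meant to be reachable from localhost only, so any request to these files from
# another address is worth an alert on its own.
EXPEVAL_DIR = "/cfdocs/expeval/"
EXPEVAL_FILES = {"openfile.cfm", "displayopenedfile.cfm", "exprcalc.cfm"}

# Common Log Format: client ident user [time] "METHOD target HTTP/x" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')

def inspect_request(line):
    """Return the findings for one access-log line (empty list if benign)."""
    m = CLF.match(line)
    if not m:
        return []
    client, method, target, status = m.groups()
    parts = urlsplit(target)
    path = unquote(parts.path)  # urlsplit leaves the path percent-encoded
    if not path.lower().startswith(EXPEVAL_DIR):
        return []
    findings = []
    if path.lower().rsplit("/", 1)[-1] in EXPEVAL_FILES and not client.startswith("127."):
        findings.append(f"{method} {path} from non-local client {client}")
    # ExprCalc.cfm?OpenFilePath=... reads, displays and then deletes the named
    # file: a value outside the expeval directory means a server file was read
    # and deleted; a value naming ExprCalc.cfm itself removes the cleanup step.
    query = {k.lower(): v for k, v in parse_qs(parts.query).items()}  # values already decoded
    for raw in query.get("openfilepath", []):
        v = raw.replace("\\", "/").lower()
        if EXPEVAL_DIR not in v or "/../" in v:
            findings.append(f"OpenFilePath outside expeval directory: {raw}")
        elif v.rsplit("/", 1)[-1] == "exprcalc.cfm":
            findings.append("OpenFilePath names ExprCalc.cfm (deletes the cleanup step)")
    return findings

def scan_log(lines):
    """Map each flagged line number (1-based) to its findings."""
    return {n: f for n, l in enumerate(lines, 1) if (f := inspect_request(l))}

# Constructed sample log, not real traffic; 203.0.113.0/24 is documentation space.
SAMPLE_LOG = [
    '203.0.113.5 - - [20/Apr/1999:10:00:01 -0500] "GET /index.cfm HTTP/1.0" 200 1234',
    '127.0.0.1 - - [20/Apr/1999:10:00:02 -0500] "GET /cfdocs/expeval/ExprCalc.cfm'
    '?RequestTimeout=2000&OpenFilePath=C:\\Inetpub\\wwwroot\\cfdocs\\expeval\\.\\myfile.txt HTTP/1.0" 200 512',
    '203.0.113.5 - - [20/Apr/1999:10:00:03 -0500] "GET /cfdocs/expeval/ExprCalc.cfm'
    '?OpenFilePath=c:\\winnt\\repair\\setup.log HTTP/1.0" 200 9876',
    '203.0.113.5 - - [20/Apr/1999:10:00:04 -0500] "POST /cfdocs/expeval/openfile.cfm HTTP/1.0" 200 300',
    '203.0.113.5 - - [20/Apr/1999:10:00:05 -0500] "GET /cfdocs/expeval/ExprCalc.cfm'
    '?OpenFilePath=C:\\Inetpub\\wwwroot\\cfdocs\\expeval\\ExprCalc.cfm HTTP/1.0" 200 0',
]

if __name__ == "__main__":
    for n, findings in scan_log(SAMPLE_LOG).items():
        print(n, findings)
```

The localhost-only check uses the client address as logged; behind a reverse proxy you would substitute the forwarded client address before applying it.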
  
III. Solution  
  
Allaire has posted a patch to this vulnerability. This is currently   
available at:  
http://www.allaire.com/handlers/index.cfm?ID=8727&Method=Full  
In addition to this, it is recommended that the documentation and   
example code not be stored on production servers.  
  
For specific questions about this advisory, please contact   
[email protected]  
  
  
  
---------------  
For more L0pht (that's L - zero - P - H - T) advisories check out:  
http://www.l0pht.com/advisories.html  
---------------  
  
------------------------------------------------------------------------------------  
  
Date: Wed, 21 Apr 1999 08:43:08 -0500  
From: Weld Pond <[email protected]>  
To: [email protected]  
Subject: L0pht Security Advisory: Cold Fusion App Server  
  
Although this vulnerability has been known for a while we think it is  
worse than originally thought. Users can upload and potentially execute  
files on the web server. Furthermore, few sites seem to have fixed the  
problem. Major commercial, government, and military sites have been found  
to still be vulnerable. We hope this advisory helps get the word out to  
all those webmasters.  
  
-weld  
  
  
